Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VII - Issue #46

October 21, 2005

If you know a great security consulting and/or penetration testing company, please pass this note on to them. We just received a request that may affect them. One of the largest companies manufacturing and selling computer equipment asked us for a list of consulting firms that can provide high quality technical security services and still meet with senior executives at their client sites. We told them we have not vetted the firms, but it turns out that GIAC certification and SANS training are sufficient to differentiate the firms that can only talk and write about security from those that can actually do it. So if your firm is a security consulting organization and you don't mind our sharing your contact information with the organization requesting the list, please send us the name of your firm, what industry or industries you have substantial experience in, and what countries you work in. Thanks in advance. Send it to info@sans.org (subject "Security consulting firm").

Please join us for SANS Great Lakes Security Essentials with HIPAA in Chicago on November 7-13! We have designed this special training week specifically with healthcare professionals in mind. This training is your opportunity to focus on how to follow solid information security principles, meet HIPAA guidelines for information security, and yet still maintain a focus on providing quality care to patients. Info: http://www.sans.org/greatlakes_hipaa2005

TOP OF THE NEWS

The Federal Financial Institutions Examination Council has issued "Authentication in an Internet Banking Environment," updated guidelines for financial institutions' online customer identity authentication. FFIEC says that passwords and IDs alone are not adequate authentication measures for high-risk financial transactions. The guidelines describe a variety of authentication technologies, including digital certificates, USB plug-ins and biometric identification technologies, but do not endorse any one in particular. FFIEC has sent a letter to US financial institutions informing them that bank web sites are expected to be in compliance with the guidelines by the end of 2006. FFIEC is an interagency body of financial regulators.
-http://www.computerworld.com/printthis/2005/0,4814,105519,00.html
-http://www.wired.com/news/print/0,1294,69243,00.html
-http://www.fdic.gov/news/news/financial/2005/fil10305.html
-http://www.ffiec.gov/pdf/authentication_guidance.pdf
[Editor's Note (Paller): Read the actual guidelines and you will want to cry. Apparently FFIEC caved in to the banker lobbies. Instead of following the lead of countries like Hong Kong and Singapore that require banks to offer safer authentication, FFIEC just told them to write a risk assessment. Like beauty, risk depends on your perspective. If your perspective is mainly driven by maximizing profit, customer safety risks are not very important.
(Hoepman): It's worth noting that non-hardware-based one-time-password systems, like scratch cards, are also mentioned as a possible technique. These systems are widely deployed in Europe.
(Honan): Guidelines are one method to encourage financial institutions to improve end user security. Improving competitiveness by offering a more robust solution than your competitors is another, as can be seen by banks such as Barclay's Bank following the lead of Lloyds bank to introduce token based authentication.
-http://news.zdnet.co.uk/internet/security/0,39020375,39232438,00.htm ]

UK Internet and Telephone Banking Authentication Standard to be in Place by End of Year (17 October 2005)

The UK's Association of Payment and Clearing Systems (APACS) says that they will launch an online authentication standard for Internet and telephone banking by the end of this calendar year. The standard will be in the form of a device that will generate a one-time use password when users insert a chip and PIN card. APACS said the new standard device will be "slightly different" from the token device Lloyds TSB plans to test.
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39231006-39020375t-10000025c

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Spammer's Sentence is Under Seal (17 October 2005)

Anthony Greco was sentenced in a closed session for sending nine million spam messages via instant message to members of MySpace.com. The sentence is under seal. Earlier this year, Mr. Greco reached a plea agreement with prosecutors under which he would serve a sentence of between 18 months and two years in prison in return for his guilty plea. Mr. Greco had also threatened to share his spamming techniques with others. Federal prosecutors planned to ask the judge to make the sentence public.
-http://sfgate.com/cgi-bin/article.cgi?file=/n/a/2005/10/17/financial/f190259D40.DTL&type=printable

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

Interior Department IT Security Dilemma Continues (20 October 2005)

US District Judge Royce Lamberth has granted a preliminary injunction ordering the Interior Department to disconnect IT systems that connect to American Indian trust fund data because they are not secure. A September 6, 2005 memo from Interior Department inspector general Earl Devaney said that penetration testers were able to access agency systems. The order covers not only computers and networks, but also handhelds and VoIP equipment. The start date for the shutdown has not yet been determined. -http://www.fcw.com/article91172-10-20-05-Web

The Department of Transportation's inspector general was able to penetrate and gain root control of a vulnerable server during a recent audit. Because there is interconnectivity within DOT, other departments could be put at risk by just one department's security weaknesses. According to the audit report, there are also previously noted security vulnerabilities that the agency has not addressed. The audit is an annual event conducted in accordance with the Federal Information Security Management Act (FISMA).
-http://www.computerworld.com/printthis/2005/0,4814,105530,00.html
-http://www.oig.dot.gov/StreamFile?file=/data/pdfdocs/DOT_FISMA.pdf
[Editor's Note (Pescatore): The report also points out that they were able to gain admin access to a network switch and a number of PCs, exploiting vulnerabilities that had been reported previously. This points out some serious shortcomings in vulnerability management processes, as DoT also had major problems with Zotob.
(Paller): John Pescatore's comment raises an important question. Transportation has invested heavily in a vulnerability management system called FoundScan. It would be illuminating for the entire security community if the Department of Transportation could share enough information to determine whether the problem was DoT's implementation or a major flaw in FoundScan. ]

Most Organizations Do Not Have CIOs in Board Room (19 October 2005)

Recent research indicates that most companies do not have technology experts involved in high-level strategic planning. The study, from public relations company Burson-Marsteller, looked at Fortune Global 500 organizations. In 2003, the number of organizations with current or former CIOs in the boardroom was five percent; the recent study puts that figure at eight percent. In Europe, the figure is 10 percent; in the Asia-Pacific region, the figure is up to ten times greater. Just three percent of the companies surveyed have a CEO with prior IT experience.
-http://management.silicon.com/itdirector/0,39024673,39153480,00.htm
[Editor's Note (Schultz): If these results are valid (and at face value they seem to be), they provide at least a partial explanation of why IT organizations tend not to be so effective. As the top leadership goes, so goes the rest of the organization.]

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org